e28c78d60d84f812803eaf65612b5daae221a405e95d5605c684ffd7984eedf5

Analysis

max time kernel
117s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/01/2025, 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe
Size

102KB
MD5

27a2b208944a1c98ab02dcdc787e60fd
SHA1

e03209c05baf8972e326f9b094f8d6f90ac708bd
SHA256

e28c78d60d84f812803eaf65612b5daae221a405e95d5605c684ffd7984eedf5
SHA512

d65c183678e181e52a03f5bd5901764c7cd99fdc46b65faf08c1ef7d0f0eb3fb7937404f12d280b57584cecfed292143e764e8167b4331c29e436a00569e3d53
SSDEEP

3072:830EyeLSq9888OP487vRZ3Wwrl6qXxVFi9X3kun:8EEyeLSq9kYhvhrcqhgl

Score

10^/10

adware defense_evasion discovery stealer trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 3 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe

Deletes itself 1 IoCs

pid	Process
1868	cmd.exe

Windows security modification 2 TTPs 3 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{39fc2065-c9c7-49cd-8942-44cc2dedc844}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\NoExplorer = "1"	regsvr32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ieocx.dll	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Modifies Control Panel 3 IoCs

defense_evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\don't load	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\don't load\scui.cpl = "No"	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\don't load\wscui.cpl = "No"	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007618d8826add6546ab3ade175b60739300000000020000000000106600000001000020000000d29b05333a9031d20717b598978440cabf6cd65466bf49bf1155e087b837a302000000000e8000000002000020000000aa7e4478bf4989341ec80db4bba255741b4a23ed565c4e0971269ccd141bb2ee2000000056d6be669ce5ef2bba333247662ef86238a3c2906d769b9eb4f50aa3212a69d8400000002507ea71a7fad3c94669d3853325351b473dfd0b2327b8de16833041280b45ca280588949745c4506faf6994bfb4909724b6a8a3e091155e5f615f13eaf2bdc5	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 101ef1c3d56edb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007618d8826add6546ab3ade175b6073930000000002000000000010660000000100002000000018cdc802d5ec9f6e087a36b34ac72bbe19b704d6f00781af05f1c9933c7a46c9000000000e800000000200002000000007a80e902ea1782dc7b4f32971d1fdc164cb364887ccd9ff0e03441c81c9de43900000006a55d945a9f395a07a9e4e014560d1bbf962ec0a026d026efe4add86b61e06667c7bc7df2df226da04cf1d4d5d44bdcb44ccd639f0436f9e102eb4a3df2c7fba95ff4a4e6808afe184a248c94b8a55ee9f094bccb0ed12a60717706dce9e3d51cb18188c5718449b2c13e2d0d6d5cc3be6c72e27cfaeb02fddbeba710edbdebb5a9d35454a4a4547febbefb3788cd8b44000000046572d4c8bdf40fb163931eee3fa484637811a381c3c296f57d37edd1c1edbc19af13ec62280d5cedf71bc19cd031d1c5aa6ac61a550aa6849b5b68d629852ed	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443936066"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EDDDD7E1-DAC8-11EF-8C8D-7E918DD97D05} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\InprocServer32\ = "C:\\Windows\\ieocx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinInetApp.WinInet\ = "WinInet Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinInetApp.WinInet\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinInetApp.WinInet\CurVer\ = "WinInetApp.WinInet.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ = "_IBhoAppEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinInetApp.WinInet.1\ = "WinInet Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinInetApp.WinInet\CLSID\ = "{39fc2065-c9c7-49cd-8942-44cc2dedc844}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinInetApp.WinInet.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinInetApp.WinInet\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinInetApp.WinInet	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\ProgID\ = "WinInetApp.WinInet.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\VersionIndependentProgID\ = "WinInetApp.WinInet"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\HELPDIR\ = "C:\\Windows"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ = "_IBhoAppEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinInetApp.WinInet.1\CLSID\ = "{39fc2065-c9c7-49cd-8942-44cc2dedc844}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\ = "WinInet 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinInetApp.WinInet.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\TypeLib\ = "{b360243e-09e8-402f-8721-00b6798089ad}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0\win32\ = "C:\\Windows\\ieocx.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\ = "WinInet Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}"	regsvr32.exe

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1692	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1692	iexplore.exe
1692	iexplore.exe
2824	IEXPLORE.EXE
2824	IEXPLORE.EXE
2824	IEXPLORE.EXE
2824	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 536	576	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe	31
PID 576 wrote to memory of 536	576	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe	31
PID 576 wrote to memory of 536	576	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe	31
PID 576 wrote to memory of 536	576	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe	31
PID 576 wrote to memory of 536	576	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe	31
PID 576 wrote to memory of 536	576	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe	31
PID 576 wrote to memory of 536	576	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe	31
PID 576 wrote to memory of 1936	576	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe	32
PID 576 wrote to memory of 1936	576	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe	32
PID 576 wrote to memory of 1936	576	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe	32
PID 576 wrote to memory of 1936	576	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe	32
PID 1936 wrote to memory of 2244	1936	net.exe	34
PID 1936 wrote to memory of 2244	1936	net.exe	34
PID 1936 wrote to memory of 2244	1936	net.exe	34
PID 1936 wrote to memory of 2244	1936	net.exe	34
PID 576 wrote to memory of 1692	576	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe	35
PID 576 wrote to memory of 1692	576	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe	35
PID 576 wrote to memory of 1692	576	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe	35
PID 576 wrote to memory of 1692	576	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe	35
PID 1692 wrote to memory of 2824	1692	iexplore.exe	36
PID 1692 wrote to memory of 2824	1692	iexplore.exe	36
PID 1692 wrote to memory of 2824	1692	iexplore.exe	36
PID 1692 wrote to memory of 2824	1692	iexplore.exe	36
PID 576 wrote to memory of 1868	576	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe	38
PID 576 wrote to memory of 1868	576	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe	38
PID 576 wrote to memory of 1868	576	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe	38
PID 576 wrote to memory of 1868	576	JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe	38

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_27a2b208944a1c98ab02dcdc787e60fd.exe"
1⤵
- Windows security bypass
- Windows security modification
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s C:\Windows\ieocx.dll
  2⤵
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:536
- C:\Windows\SysWOW64\net.exe
  C:\Windows\system32\net.exe stop "Security Center"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2244
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://truepornvideo.com/videosz.php
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1692 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\bhs.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bab5f31a224d0f6abc09bc4a1a7f5f43

SHA1
2ba4cda4ce223bf6fc1108fa466e010cc579bb7d

SHA256
e95f9c3875ee44f6145bc7d084300574cf4d9cefffddc7e4fdf5dcce8e28e718

SHA512
61c4e6f3ac13fd9a93275e91dd09d3caf39d69419a0f417bd6084b43ed3b12aa2090d01720cc8a5bc14ca754cd77b47f55d06fe3426aabbfb8a705b3a6832620

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d36426f402833965ad393c3a2e95f860

SHA1
b4cdc0325762a07e1d7f50590a60e143cadc5b93

SHA256
15dc532d822fce18b93f92a48bbc72346d7bce031532f72f516f793aa25e1233

SHA512
5d99c98d87a592f4084773a016355e89351901694687e420ceb5cca44efbcd55278a0aad5bc05c05014e2c2b5558e21f2163b1fdeb5630a4567cfb94d404784e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95068ebe74047de5361d4753c928dd45

SHA1
2e9d2357356f2eb3f6f4dfb6310745139359c919

SHA256
5d6a3ef5bf4b972196a8c8e6b06d47db8414d4ffb55c3208c8d76fa6d3279496

SHA512
d56361e440ecca3bf4abceee311a7def3e6cc1ba790dce36092ca7b64687aa597a3cfbf8177efd454670a5d1e20f0edfac945d2e1db86c405b0cfbfa9fc1a9a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f28892fca9fc21d0b13529944c5be786

SHA1
358e45822b207061c79a1f06a22f0b4925a1fce0

SHA256
5e4a1ba6995e5f0bcb1868d2abd2e1ecb34ecfb9612859cbd4fc4df0e67628da

SHA512
7e543b38646f0b86d5ce7678029566cedf3460b2b7f9305b3af6c9127cf777c5ccb8d62d2cbfd37aaa851550b97c0ebfe02aa0bfb076f0952264ed4fb5fc3edf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29762a8a6c5b2c880d92e1e7507c4fc2

SHA1
0f3a80e97b7d1b12a839284f0fe7b82916d9b886

SHA256
7b3898ae0165fcf72a3398ac6e70aee730c2c866dbdee59d508158e671abddfb

SHA512
fb1de7e82088d504cbc656f71240b9aeb43088f47abfa4767b719ca768cb158e7aaf3f269446c68f1aa582eed0dc38cb8ac2be8d8cb8edd7a4f056a0854e4b26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dabff134f774cc9c646e9156efd2417d

SHA1
885098114e0e25d73b42c6a0444d24eb909d8df7

SHA256
626f77afc56f508397065f53fd36cd257fec258182d8fbe54e870a01969d367e

SHA512
9e9aecb631d692a56ab5dee65004eefeb3d32a39606d379cab6e1fa3453d64a6f09dfeae3d8ced11fd2732c3388c0805f3ce5960162304ab6661902c08ae0537

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dad6bab0d1121f86fd94877f7ec9bd9a

SHA1
fd239273c3154cd2b735558129144b0bbce33a34

SHA256
be1191f9e6d0da2a5ba5586df63bc7a77d38b34c6d1d77dc086570229a766b99

SHA512
f8308b045fb6003014fdd1c21ce361c55ffcd272f8f9f30aa2d39b847714fce7b9281181b2e3d78c9db358566bb53f7f82f03f8ce5c1229ad10e8350c01c8cea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d272bb56020bc2171bb594ccfcf4fca

SHA1
bfe542e312d5212a37cfd559504eb835580bc660

SHA256
2e24c7c52a4a9e52d7054fd8c7c3602e3312580671af52602f037ebef445adbe

SHA512
c9172d89d9d894e1454169f677032aa667a0842186bb9deea0b934b5d068a144da6151c5f13602168c24febe7d3614e5dd9a73662cb5e268a299289a4f5a0aff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a968ed997fbbba3b8c97c622f668a305

SHA1
44e6387d6b12f72e5639e82acc9a9f888e0f1dbc

SHA256
bf95399471163931296cb9883c41fe9abc76c34ccc7146ac8a7b3509981e3a7e

SHA512
232155e8a97d6150507df1f235b93c70ebb8fbf391e5bae85080b16b7dbe562cbf0b2bdbc19c610b0a974537bea05ab9dbe309ca2c69ff20e387019924782d87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
687827167414e730a70cc851c4ec9c23

SHA1
7644309f448a6d0f51a752debb905758f7d9ee51

SHA256
b056d0c5ff3ebe923a53cbf86453bf6899a8aa6162480d703c5d9215a97c7ce6

SHA512
7784af45064f48687217027ad279704b7c168a4c7148acdd8a4d712e48df2522f2eb2955d6a04319c5e5ea358ac3b4482d8d53225a2fe6c1f4fc04cdecad0448

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6931e47f2381525732eecade5a76dfcb

SHA1
52f3b3698872590a858ae107157a582543b88f67

SHA256
0fc0e2ad47c3832b898781eb993c0410d56090461e8d5bad522dbdd7e65e363b

SHA512
9e9e79a1e7fc0dfa441c4eb7934214327a5e9c671f4e59fefca9b744b022594c4fce1f7fb096174fd24b329f42c2d5240d926756731807d0dbe953b45def5dac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08b598a9d999bd93fae2f10d907cb57f

SHA1
8aec3aaa14535bde942d703da7643f527a2a689f

SHA256
59aec6944c8eb71e64769857ae28c8db40790814c23df3efe4b2c7cbb4dcd282

SHA512
1622b68b310d3fa14ea0eea0253034aa11c5f5b78c015277f45384e17db715b384d8618ac353229ccdbf2572606e880ff81576354fce89fd65b262b962ecfbc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbcb1fd41615014910f278e8f16bb77c

SHA1
f6327fcae4dafcd2a4b459f17fee0eb2814939e6

SHA256
c1a8d799e2d842f6140beac90fc8468629e4b8de18ab2b67c91429e309531d49

SHA512
0e67e93c4a5fce9bd072065b9eae71f7113bc44de11407702643b6d1d4147d4c9e7cd1991a0232710b332186a27566abff553011b81c5f944d7985011bbfd5e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc8b3994f0136864718e0cc0c01b3162

SHA1
cea01e21dcf0cd9f994fe6904a6265ea067a66a9

SHA256
e3c134966a20f12a3a35cbf4bc3901dd6d69ac900175185c8813a59673496481

SHA512
6130f4d096e46a80c37012169bfca85f34ee31c82bb9705fa95fea743cc6b64f6cf6b5b78a39fe36c1ba65ab4963a2c53dece857fd6cee56f9127d762e458cd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7714c5c5073957ee6674407353a48946

SHA1
b0fdb40a69d2a9a8f52b4a2eefa202729620b6d4

SHA256
f6ef32c2f503eaf7f9934be01e91afbb2ef80758df689132f7e503ac7471724e

SHA512
59cef359394acaa25e655acbba8903cf52ade934fe2d92810a42715dce9e87cd3c71c176a2f2f61d14a2e211174cecfeb61b0d4d8d152952f6d04c8a67b8f56a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35719d09d30ac788a67916780f56c8e0

SHA1
1b4233c4424fdc142c9d870d27e4d49d9f981fdd

SHA256
2df72b40713cd7eb5b1f476ec889d227fbd84288c26196eace7ebe855821301f

SHA512
11e57d014bda715341a9880fea622a0f2c059a0958d6539a2cefed1fcff85f7034293c2395ed327db080fece6ccac3943d9ada70f38e1fd2a7751a8015193c41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6cbb70088b8303f346f34fda11c4fdfa

SHA1
95a44aacb25985da72ecdce9e258d7300330022a

SHA256
2c1ae5f9a82cc73ae04ecac6aff996c9116f219254976eea99b9023af6693f2e

SHA512
9a9934b090dc4e0e476e5e7efc7eaf9ebd04f40359af43d1ed902ce58275470dfc9a83df8993408e60f68fbb3c20686d5ff5d0f1fd0cd0cc22f5ed413a5a3afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC71.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCE2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\bhs.bat

Filesize
256B

MD5
012982083320edc135c5f0182b9877fb

SHA1
1d34a70a4e12874c56c2a829aa22527f2f7a8e83

SHA256
b8e5f9b5bb571bb2900cbbea36cca0a8f0e0b53c83e976dc20a84323e297eab4

SHA512
adc8fa35141f1733b6c006798de6fbc6c7bffaa5c22be0170b9f33f180d00c87b3eb92085ef22c07fcced68b119488ff0993a2cb45e5387f2c6c1ca4040a5fa3

Download Submit
C:\Windows\ieocx.dll

Filesize
28KB

MD5
e1a315b8a09786aa198df203bf4e9d1e

SHA1
94c23a22163ef7cc34b1edd203f409aec0b0e219

SHA256
84110fdc8678dd45fce8f5ccbdd1e9432b086d438fc2d441d74547e2f0a3c559

SHA512
bb11c829f23c0c9672b97543c76ddb394e88ca45fc022fbdf44fc445b5499bfdc046e84279457713f86ce6279586c4e0aa21ff7bd3f39ce8da01e82444299b32

Download Submit
memory/536-5-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/536-8-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/536-7-0x0000000010000000-0x0000000010002000-memory.dmp

Filesize
8KB

Download
memory/536-6-0x0000000000170000-0x0000000000176000-memory.dmp

Filesize
24KB

Download
memory/536-9-0x0000000000170000-0x0000000000176000-memory.dmp

Filesize
24KB

Download
memory/576-66-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/576-0-0x0000000000401000-0x0000000000415000-memory.dmp

Filesize
80KB

Download
memory/576-454-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/576-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/576-3-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/576-15-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/576-14-0x0000000000401000-0x0000000000415000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads